topic Re: mac auth in Network Access Control

mac auth

suthomas1 — Thu, 05 Aug 2021 00:55:22 GMT

Good day all,

To get an IP phone connected to network via mac auth, is there any setting to be done on the ip phone itself?

there appears to be an authentication/802.1x option in it...what state does it need to be in for successful mac-auth.

Thanks in advance.

Re: mac auth

Damien Miller — Thu, 05 Aug 2021 01:07:43 GMT

Most rely on mac auth aka MAB to authorize phones to the network. Depending on the vendor, you certainly could leverage the phone supplicant to do 802.1x, I see a mix of companies that go that route vs not.

Cisco phones are fairly easy to configure from call manager to use the built in manufacture installed cert, but you could go further and issue your own certs to them.

More often we focus on authorizing phones to the voice vlan. If your phones are showing in the show auth sessions cli command as voice domain, then you already have that covered.

Re: mac auth

suthomas1 — Thu, 05 Aug 2021 01:29:11 GMT

Thnaks Damien.

if using MAB only, does the auth option inside the cisco phone needs to be enabled?

If using manufacturer cert, that will be eap-tls i believe ? & in that case auth on phone should be turned on?

Re: mac auth

Damien Miller — Thu, 05 Aug 2021 01:47:06 GMT

If you're OK with the phones doing mab then that's fine. They will work without issue.

Yes, you would enable the phones to do 802.1x and eap-tls if you wanted to use the mic cert.

Re: mac auth

suthomas1 — Thu, 05 Aug 2021 03:54:56 GMT

So being MAB, will the mac be learnt by ise if the auth is turned off on the phone itself? or does it need auth turned on for mac to be learnt by ise unless mac is manually entered into ise?